authorJulius Goryavsky <julius.goryavsky@mariadb.com>2021-12-14 03:20:37 +0100
committerJulius Goryavsky <julius.goryavsky@mariadb.com>2021-12-14 03:21:34 +0100
commit99972ccfb40952b6304be757c74ea90e0a9d6997 (patch)
tree6fbc23af2d92a8128c3bf0c57f083242475ca2f8
parent0e78f63f5c91b5ec680a8214734baf9fd3893b64 (diff)
downloadmariadb-git-bb-10.2-MDEV-27181.tar.gz
Additional changesbb-10.2-MDEV-27181
l---------mysql-test/std_data/capath/3106f582.01
-rw-r--r--mysql-test/std_data/capath/cacert.pem79
l---------mysql-test/std_data/capath/ed1f42db.01
-rw-r--r--mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_capath.result398
-rw-r--r--mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_key.result2
-rw-r--r--mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_server.result2
-rw-r--r--mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.cnf20
-rw-r--r--mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.test26
-rw-r--r--mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.test3
-rw-r--r--mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_server.test3
-rw-r--r--scripts/wsrep_sst_common.sh44
-rw-r--r--scripts/wsrep_sst_mariabackup.sh130
-rw-r--r--scripts/wsrep_sst_rsync.sh51
-rw-r--r--scripts/wsrep_sst_xtrabackup-v2.sh144
-rw-r--r--scripts/wsrep_sst_xtrabackup.sh2
-rw-r--r--vio/viosslfactories.c17
16 files changed, 733 insertions, 190 deletions
diff --git a/mysql-test/std_data/capath/3106f582.0 b/mysql-test/std_data/capath/3106f582.0
new file mode 120000
index 00000000000..1310cfcff20
--- /dev/null
+++ b/mysql-test/std_data/capath/3106f582.0
@@ -0,0 +1 @@
+cacert.pem \ No newline at end of file
diff --git a/mysql-test/std_data/capath/cacert.pem b/mysql-test/std_data/capath/cacert.pem
new file mode 100644
index 00000000000..23dda2318e1
--- /dev/null
+++ b/mysql-test/std_data/capath/cacert.pem
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ d0:4d:23:85:ee:59:b3:fa
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
+ Validity
+ Not Before: Jan 27 10:11:10 2019 GMT
+ Not After : Jan 22 10:11:10 2039 GMT
+ Subject: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:e8:0e:a7:84:d3:75:30:06:30:b2:10:b9:d1:88:
+ 36:2b:5e:f8:c8:44:57:cb:67:72:ab:96:95:33:d5:
+ 88:d1:8f:23:50:98:ba:6d:20:00:80:bd:35:d5:c1:
+ bf:98:49:c4:0a:15:4a:34:a6:21:9b:2e:8c:15:09:
+ f0:63:81:02:c2:7c:e2:53:e0:f7:a1:1a:40:5e:8f:
+ 41:4a:4c:56:d4:20:f1:d5:a7:c1:53:2e:ff:7e:37:
+ 17:cc:7e:74:bd:e2:22:33:ce:8c:77:62:a4:c5:3f:
+ 44:35:7b:7e:b9:f5:7d:8c:7a:27:58:fd:2c:42:86:
+ 2e:e7:6b:01:99:7b:fe:7d:a7:a1:4f:3e:39:39:54:
+ 1f:61:de:74:66:d1:77:4f:43:1b:66:70:29:85:de:
+ fc:8f:8e:1b:7b:a2:66:48:26:7f:9b:a6:fd:4a:e4:
+ dc:eb:ed:bd:f8:e3:f1:57:98:13:6f:f1:a3:2a:e3:
+ 73:bd:8d:7c:6f:4b:59:35:bc:b5:42:3e:99:a7:13:
+ 8d:be:2e:5c:9a:c6:5b:ab:ae:bf:00:e9:c8:ee:05:
+ 22:8e:d5:67:1a:47:9a:6d:9c:f9:42:3e:15:34:f8:
+ 31:ec:b4:7e:d3:92:95:b0:b8:f9:66:f3:bd:1d:31:
+ 2c:b1:90:62:a1:f8:4e:a6:5d:26:22:f0:e1:fe:16:
+ 2b:69
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ CA:71:99:89:F0:72:AB:75:66:BB:65:6A:03:04:72:A5:7B:95:A6:93
+ X509v3 Authority Key Identifier:
+ keyid:CA:71:99:89:F0:72:AB:75:66:BB:65:6A:03:04:72:A5:7B:95:A6:93
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ df:fd:74:29:5b:5e:9a:8b:09:02:40:59:73:cb:71:47:3f:97:
+ 3d:a9:fd:c4:8c:01:29:c9:86:b8:71:55:ff:72:0e:50:dc:c8:
+ b5:e6:91:41:52:47:21:30:cc:4d:e7:3b:4b:db:55:ea:7d:46:
+ eb:53:e0:b7:1b:80:7c:b1:0c:d3:d1:bc:a0:73:ae:96:1f:fd:
+ 05:52:7e:54:d5:03:52:69:7b:34:5f:27:d7:98:da:98:76:73:
+ e6:bb:50:59:2a:94:90:67:03:1c:a4:76:2f:ee:ef:59:60:09:
+ 48:33:03:2b:52:ed:83:42:f8:71:19:7f:d8:be:40:ed:20:01:
+ 90:3c:7e:1c:8b:d2:9f:f3:2f:09:1f:50:c8:10:e1:8a:d9:a5:
+ 49:9c:0b:74:17:b9:2b:68:f6:1e:73:c2:73:10:38:b3:35:e2:
+ 87:91:1b:a1:d1:9b:81:9d:1b:32:cc:03:6e:4c:82:95:81:11:
+ 42:56:e2:16:2b:22:65:db:40:2c:ca:dc:03:f4:d5:07:cf:f5:
+ 13:b2:cf:51:5b:24:cd:c7:d1:9b:42:8e:f9:df:5d:1e:5a:09:
+ a3:4f:a9:0b:f4:21:c5:bb:ff:02:93:67:e8:2d:ee:ab:d9:59:
+ 76:03:2c:a1:bd:fb:dc:af:b6:82:94:71:85:53:a8:18:0d:3a:
+ 9e:42:eb:59
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/mysql-test/std_data/capath/ed1f42db.0 b/mysql-test/std_data/capath/ed1f42db.0
new file mode 120000
index 00000000000..1310cfcff20
--- /dev/null
+++ b/mysql-test/std_data/capath/ed1f42db.0
@@ -0,0 +1 @@
+cacert.pem \ No newline at end of file
diff --git a/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_capath.result b/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_capath.result
new file mode 100644
index 00000000000..170ba62dd12
--- /dev/null
+++ b/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_capath.result
@@ -0,0 +1,398 @@
+connection node_1;
+connection node_2;
+connection node_1;
+Performing State Transfer on a server that has been shut down cleanly and restarted
+connection node_1;
+CREATE TABLE t1 (f1 CHAR(255)) ENGINE=InnoDB;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+COMMIT;
+connection node_2;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+COMMIT;
+Shutting down server ...
+connection node_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+COMMIT;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+connect node_1a_galera_st_shutdown_slave, 127.0.0.1, root, , test, $NODE_MYPORT_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+connection node_2;
+Starting server ...
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+COMMIT;
+connection node_1;
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+COMMIT;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+COMMIT;
+connection node_1a_galera_st_shutdown_slave;
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+ROLLBACK;
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+COMMIT;
+SET AUTOCOMMIT=ON;
+connection node_1;
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+DROP TABLE t1;
+COMMIT;
+SET AUTOCOMMIT=ON;
+Performing State Transfer on a server that starts from a clean var directory
+This is accomplished by shutting down node #2 and removing its var directory before restarting it
+connection node_1;
+CREATE TABLE t1 (f1 CHAR(255)) ENGINE=InnoDB;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+COMMIT;
+connection node_2;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+COMMIT;
+Shutting down server ...
+connection node_1;
+Cleaning var directory ...
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+COMMIT;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+connect node_1a_galera_st_clean_slave, 127.0.0.1, root, , test, $NODE_MYPORT_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+connection node_2;
+Starting server ...
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+COMMIT;
+connection node_1;
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+COMMIT;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+COMMIT;
+connection node_1a_galera_st_clean_slave;
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+ROLLBACK;
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+COMMIT;
+SET AUTOCOMMIT=ON;
+connection node_1;
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+DROP TABLE t1;
+COMMIT;
+SET AUTOCOMMIT=ON;
+Performing State Transfer on a server that has been killed and restarted
+connection node_1;
+CREATE TABLE t1 (f1 CHAR(255)) ENGINE=InnoDB;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+COMMIT;
+connection node_2;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+COMMIT;
+Killing server ...
+connection node_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+INSERT INTO t1 VALUES ('node1_committed_during');
+COMMIT;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+connect node_1a_galera_st_kill_slave, 127.0.0.1, root, , test, $NODE_MYPORT_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+connection node_2;
+Performing --wsrep-recover ...
+Starting server ...
+Using --wsrep-start-position when starting mysqld ...
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+INSERT INTO t1 VALUES ('node2_committed_after');
+COMMIT;
+connection node_1;
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 VALUES ('node1_to_be_committed_after');
+COMMIT;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+INSERT INTO t1 VALUES ('node1_committed_after');
+COMMIT;
+connection node_1a_galera_st_kill_slave;
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 VALUES ('node1_to_be_rollbacked_after');
+ROLLBACK;
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+COMMIT;
+SET AUTOCOMMIT=ON;
+connection node_1;
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+DROP TABLE t1;
+COMMIT;
+SET AUTOCOMMIT=ON;
+Performing State Transfer on a server that has been killed and restarted
+while a DDL was in progress on it
+connection node_1;
+CREATE TABLE t1 (f1 CHAR(255)) ENGINE=InnoDB;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+INSERT INTO t1 VALUES ('node1_committed_before');
+connection node_2;
+START TRANSACTION;
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+INSERT INTO t1 VALUES ('node2_committed_before');
+COMMIT;
+SET GLOBAL debug_dbug = 'd,sync.alter_opened_table';
+connection node_1;
+ALTER TABLE t1 ADD COLUMN f2 INTEGER;
+connection node_2;
+SET wsrep_sync_wait = 0;
+Killing server ...
+connection node_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 (f1) VALUES ('node1_committed_during');
+INSERT INTO t1 (f1) VALUES ('node1_committed_during');
+INSERT INTO t1 (f1) VALUES ('node1_committed_during');
+INSERT INTO t1 (f1) VALUES ('node1_committed_during');
+INSERT INTO t1 (f1) VALUES ('node1_committed_during');
+COMMIT;
+START TRANSACTION;
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+connect node_1a_galera_st_kill_slave_ddl, 127.0.0.1, root, , test, $NODE_MYPORT_1;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+connection node_2;
+Performing --wsrep-recover ...
+connection node_2;
+Starting server ...
+Using --wsrep-start-position when starting mysqld ...
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 (f1) VALUES ('node2_committed_after');
+INSERT INTO t1 (f1) VALUES ('node2_committed_after');
+INSERT INTO t1 (f1) VALUES ('node2_committed_after');
+INSERT INTO t1 (f1) VALUES ('node2_committed_after');
+INSERT INTO t1 (f1) VALUES ('node2_committed_after');
+COMMIT;
+connection node_1;
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_committed_after');
+COMMIT;
+SET AUTOCOMMIT=OFF;
+START TRANSACTION;
+INSERT INTO t1 (f1) VALUES ('node1_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_committed_after');
+INSERT INTO t1 (f1) VALUES ('node1_committed_after');
+COMMIT;
+connection node_1a_galera_st_kill_slave_ddl;
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+INSERT INTO t1 (f1) VALUES ('node1_to_be_rollbacked_after');
+ROLLBACK;
+SELECT COUNT(*) = 2 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 't1';
+COUNT(*) = 2
+1
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+COMMIT;
+SET AUTOCOMMIT=ON;
+connection node_1;
+SELECT COUNT(*) = 2 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 't1';
+COUNT(*) = 2
+1
+SELECT COUNT(*) = 35 FROM t1;
+COUNT(*) = 35
+1
+SELECT COUNT(*) = 0 FROM (SELECT COUNT(*) AS c, f1 FROM t1 GROUP BY f1 HAVING c NOT IN (5, 10)) AS a1;
+COUNT(*) = 0
+1
+DROP TABLE t1;
+COMMIT;
+SET AUTOCOMMIT=ON;
+SET GLOBAL debug_dbug = $debug_orig;
+include/assert_grep.inc [Using stunnel for SSL encryption]
diff --git a/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_key.result b/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_key.result
index 251c087412b..170ba62dd12 100644
--- a/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_key.result
+++ b/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_key.result
@@ -1,7 +1,5 @@
connection node_1;
connection node_2;
-connection node_2;
-CALL mtr.add_suppression("\\[ERROR\\] .*ib_buffer_pool' for reading: No such file or directory");
connection node_1;
Performing State Transfer on a server that has been shut down cleanly and restarted
connection node_1;
diff --git a/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_server.result b/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_server.result
index 251c087412b..170ba62dd12 100644
--- a/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_server.result
+++ b/mysql-test/suite/galera/r/galera_sst_rsync_encrypt_with_server.result
@@ -1,7 +1,5 @@
connection node_1;
connection node_2;
-connection node_2;
-CALL mtr.add_suppression("\\[ERROR\\] .*ib_buffer_pool' for reading: No such file or directory");
connection node_1;
Performing State Transfer on a server that has been shut down cleanly and restarted
connection node_1;
diff --git a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.cnf b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.cnf
new file mode 100644
index 00000000000..3ab762df013
--- /dev/null
+++ b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.cnf
@@ -0,0 +1,20 @@
+!include ../galera_2nodes.cnf
+
+[mysqld]
+wsrep_sst_method=rsync
+ssl-cert=@ENV.MYSQL_TEST_DIR/std_data/server-cert.pem
+ssl-key=@ENV.MYSQL_TEST_DIR/std_data/server-key.pem
+ssl-capath=@ENV.MYSQL_TEST_DIR/std_data/capath
+# We need to turn off the default setting for the duration
+# of the test (to test working with a directory instead of
+# a file):
+ssl-ca=
+
+[sst]
+ssl-mode=VERIFY_CA
+
+[mysqld.1]
+wsrep_provider_options='base_port=@mysqld.1.#galera_port;gcache.size=1;pc.ignore_sb=true'
+
+[mysqld.2]
+wsrep_provider_options='base_port=@mysqld.2.#galera_port;gcache.size=1;pc.ignore_sb=true'
diff --git a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.test b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.test
new file mode 100644
index 00000000000..a2d92723ec4
--- /dev/null
+++ b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_capath.test
@@ -0,0 +1,26 @@
+--source include/big_test.inc
+--source include/galera_cluster.inc
+--source include/have_debug.inc
+--source include/have_stunnel.inc
+
+# Save original auto_increment_offset values.
+--let $node_1=node_1
+--let $node_2=node_2
+--source include/auto_increment_offset_save.inc
+
+--connection node_1
+--source suite/galera/include/galera_st_shutdown_slave.inc
+--source suite/galera/include/galera_st_clean_slave.inc
+
+--source suite/galera/include/galera_st_kill_slave.inc
+--source suite/galera/include/galera_st_kill_slave_ddl.inc
+
+# Confirm that transfer was SSL-encrypted
+--let $assert_text = Using stunnel for SSL encryption
+--let $assert_select = Using stunnel for SSL encryption
+--let $assert_count = 5
+--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err
+--let $assert_only_after = CURRENT_TEST
+--source include/assert_grep.inc
+
+--source include/auto_increment_offset_restore.inc
diff --git a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.test b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.test
index 838c473b9ce..a2d92723ec4 100644
--- a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.test
+++ b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.test
@@ -8,9 +8,6 @@
--let $node_2=node_2
--source include/auto_increment_offset_save.inc
---connection node_2
-CALL mtr.add_suppression("\\[ERROR\\] .*ib_buffer_pool' for reading: No such file or directory");
-
--connection node_1
--source suite/galera/include/galera_st_shutdown_slave.inc
--source suite/galera/include/galera_st_clean_slave.inc
diff --git a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_server.test b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_server.test
index 838c473b9ce..a2d92723ec4 100644
--- a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_server.test
+++ b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_server.test
@@ -8,9 +8,6 @@
--let $node_2=node_2
--source include/auto_increment_offset_save.inc
---connection node_2
-CALL mtr.add_suppression("\\[ERROR\\] .*ib_buffer_pool' for reading: No such file or directory");
-
--connection node_1
--source suite/galera/include/galera_st_shutdown_slave.inc
--source suite/galera/include/galera_st_clean_slave.inc
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
index ba2c937b14b..5c84aa7c17f 100644
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@@ -585,7 +585,7 @@ get_binlog()
if [ -n "$WSREP_SST_OPT_ADDR_PORT" ]; then
if [ -n "$WSREP_SST_OPT_PORT" ]; then
if [ "$WSREP_SST_OPT_PORT" != "$WSREP_SST_OPT_ADDR_PORT" ]; then
- echo "WSREP_SST: [ERROR] port in --port=$WSREP_SST_OPT_PORT " \
+ echo "WSREP_SST: [ERROR] port in --port=$WSREP_SST_OPT_PORT" \
"differs from port in --address=$WSREP_SST_OPT_ADDR" >&2
exit 2
fi
@@ -1010,7 +1010,7 @@ check_sockets_utils()
$sockstat_available -eq 0 -a \
$ss_available -eq 0 ]
then
- wsrep_log_error "Neither lsof, nor sockstat or ss tool was found in " \
+ wsrep_log_error "Neither lsof, nor sockstat or ss tool was found in" \
"the PATH. Make sure you have it installed."
exit 2 # ENOENT
fi
@@ -1095,9 +1095,9 @@ check_for_dhparams()
#
verify_ca_matches_cert()
{
- local ca="$1"
- local cert="$2"
- local path=${3:-0}
+ local cert="$1"
+ local ca="$2"
+ local cap="$3"
# If the openssl utility is not installed, then
# we will not do this certificate check:
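Review bot: The positional contract of verify_ca_matches_cert changes here from (ca, cert, path flag) to (cert, ca, capath), and no update to the comment block above the function is visible in this hunk; that comment starts outside it. A caller still using the old order would have its arguments silently reinterpreted, so the new order is worth stating next to the locals, e.g. `# $1 - certificate to verify, $2 - CA file (may be empty), $3 - CA directory (may be empty)`. The wsrep_sst_mariabackup.sh call sites in this commit use the new order; the other SST scripts listed in the diffstat should be checked the same way.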
@@ -1107,19 +1107,25 @@ verify_ca_matches_cert()
return
fi
- local not_match=0
- local opt="-CAfile"
+ local readable=1; [ ! -r "$cert" ] && readable=0
+ [ -n "$ca" ] && [ ! -r "$ca" ] && readable=0
+ [ -n "$cap" ] && [ ! -r "$cap" ] && readable=0
- if [ $path -ne 0 ]; then
- opt="-CApath"
+ if [ readable -eq 0 ]; then
+ wsrep_log_error \
+ "Both PEM file and CA file (or path) must be readable"
+ exit 22
fi
+ local not_match=0
local errmsg
- local cmd="\"$OPENSSL_BINARY\" verify -verbose $opt \"$ca\" \"$cert\""
- errmsg=$("$OPENSSL_BINARY" verify -verbose $opt "$ca" "$cert" 2>&1) || not_match=1
+ errmsg=$("$OPENSSL_BINARY" verify -verbose \
+ ${ca:+ -CAfile} ${ca:+ "$ca"} \
+ ${cap:+ -CApath} ${cap:+ "$cap"} \
+ "$cert" 2>&1) || not_match=1
if [ $not_match -eq 1 ]; then
- wsrep_log_info "run: $cmd"
+ wsrep_log_info "run: \"$OPENSSL_BINARY\" verify -verbose${ca:+ -CAfile \"$ca\"}${cap:+ -CApath \"$cap\"} \"$cert\""
wsrep_log_info "output: $errmsg"
wsrep_log_error "******** FATAL ERROR ********************************************"
wsrep_log_error "* The certifcate and CA (certificate authority) do not match. *"
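Review bot: The new readability guard `if [ readable -eq 0 ]; then` compares the literal word `readable` rather than the variable, so `[` rejects the non-integer operand and returns non-zero, and the `exit 22` branch can never run; it should read `if [ $readable -eq 0 ]; then`. As written, an unreadable certificate, CA file or CA directory falls through to `openssl verify` and is presumably reported as a CA mismatch rather than as a permissions problem. The guard also sits after the early `return` taken when openssl is not installed, while the get_transfer hunks in wsrep_sst_mariabackup.sh drop their own `-r` checks in favour of this function, so in that case no readability check appears to remain; moving the guard above the openssl test would keep it. The function body starts and ends outside this hunk.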
@@ -1140,8 +1146,14 @@ verify_ca_matches_cert()
#
verify_cert_matches_key()
{
- local cert_path="$1"
- local key_path="$2"
+ local cert="$1"
+ local key="$2"
+
+ if [ ! -r "$key" -o ! -r "$cert" ]; then
+ wsrep_log_error "Both the certificate file and the key file" \
+ "must be readable"
+ exit 22
+ fi
# If the diff utility is not installed, then
# we will not do this certificate check:
@@ -1158,8 +1170,8 @@ verify_cert_matches_key()
# Generate the public key from the cert and the key.
# They should match (otherwise we can't create an SSL connection).
- if ! diff <("$OPENSSL_BINARY" x509 -in "$cert_path" -pubkey -noout 2>/dev/null) \
- <("$OPENSSL_BINARY" pkey -in "$key_path" -pubout 2>/dev/null) >/dev/null 2>&1
+ if ! diff <("$OPENSSL_BINARY" x509 -in "$cert" -pubkey -noout 2>/dev/null) \
+ <("$OPENSSL_BINARY" pkey -in "$key" -pubout 2>/dev/null) >/dev/null 2>&1
then
wsrep_log_error "******************* FATAL ERROR *****************"
wsrep_log_error "* The certificate and private key do not match. *"
diff --git a/scripts/wsrep_sst_mariabackup.sh b/scripts/wsrep_sst_mariabackup.sh
index 81bc3d76794..4bca785fcad 100644
--- a/scripts/wsrep_sst_mariabackup.sh
+++ b/scripts/wsrep_sst_mariabackup.sh
@@ -35,7 +35,7 @@ ssyslog=""
ssystag=""
BACKUP_PID=""
tcert=""
-tpath=0
+tcap=""
tpem=""
tkey=""
tmode="DISABLED"
@@ -146,14 +146,14 @@ get_keys()
if [ $encrypt -eq 0 ]; then
if [ -n "$ealgo" -o -n "$ekey" -o -n "$ekeyfile" ]; then
- wsrep_log_error "Options for encryption are specified, " \
+ wsrep_log_error "Options for encryption are specified," \
"but encryption itself is disabled. SST may fail."
fi
return
fi
if [ $sfmt = 'tar' ]; then
- wsrep_log_info "NOTE: key-based encryption (encrypt=1) " \
+ wsrep_log_info "NOTE: key-based encryption (encrypt=1)" \
"cannot be enabled with tar format"
encrypt=-1
return
@@ -166,16 +166,18 @@ get_keys()
exit 3
fi
- if [ -z "$ekey" -a ! -r "$ekeyfile" ]; then
- wsrep_log_error "FATAL: Either key must be specified " \
- "or keyfile must be readable"
- exit 3
+ if [ -z "$ekey" ]; then
+ if [ ! -r "$ekeyfile" ]; then
+ wsrep_log_error "FATAL: Either key must be specified" \
+ "or keyfile must be readable"
+ exit 3
+ fi
fi
if [ "$eformat" = 'openssl' ]; then
get_openssl
if [ -z "$OPENSSL_BINARY" ]; then
- wsrep_log_error "If encryption using the openssl is enabled, " \
+ wsrep_log_error "If encryption using the openssl is enabled," \
"then you need to install openssl"
exit 2
fi
@@ -194,11 +196,11 @@ get_keys()
fi
elif [ "$eformat" = 'xbcrypt' ]; then
if [ -z "$(commandex xbcrypt)" ]; then
- wsrep_log_error "If encryption using the xbcrypt is enabled, " \
+ wsrep_log_error "If encryption using the xbcrypt is enabled," \
"then you need to install xbcrypt"
exit 2
fi
- wsrep_log_info "NOTE: xbcrypt-based encryption, " \
+ wsrep_log_info "NOTE: xbcrypt-based encryption," \
"supported only from Xtrabackup 2.1.4"
if [ -z "$ekey" ]; then
ecmd="xbcrypt --encrypt-algo='$ealgo' --encrypt-key-file='$ekeyfile'"
@@ -345,40 +347,32 @@ get_transfer()
if [ $encrypt -eq 2 ]; then
wsrep_log_info \
"Using openssl based encryption with socat: with crt and pem"
- if [ -z "$tpem" -o -z "$tcert" ]; then
+ if [ -z "$tpem" -o -z "$tcert$tcap" ]; then
wsrep_log_error \
"Both PEM file and CRT file (or path) are required"
exit 22
fi
- if [ ! -r "$tpem" -o ! -r "$tcert" ]; then
- wsrep_log_error \
- "Both PEM file and CRT file (or path) must be readable"
- exit 22
+ verify_ca_matches_cert "$tpem" "$tcert" "$tcap"
+ tcmd="$tcmd,cert='$tpem'"
+ if [ -n "$tcert" ]; then
+ tcmd="$tcmd,cafile='$tcert'"
fi
- verify_ca_matches_cert "$tcert" "$tpem" $tpath
- if [ $tpath -eq 0 ]; then
- tcmd="$tcmd,cert='$tpem',cafile='$tcert'"
- else
- tcmd="$tcmd,cert='$tpem',capath='$tcert'"
+ if [ -n "$tcap" ]; then
+ tcmd="$tcmd,capath='$tcap'"
fi
stagemsg="$stagemsg-OpenSSL-Encrypted-2"
- wsrep_log_info "$action with cert=$tpem, ca=$tcert"
+ wsrep_log_info "$action with cert='$tpem', ca='$tcert', capath='$tcap'"
elif [ $encrypt -eq 3 -o $encrypt -eq 4 ]; then
wsrep_log_info \
"Using openssl based encryption with socat: with key and crt"
if [ -z "$tpem" -o -z "$tkey" ]; then
- wsrep_log_error "Both certificate file (or path) " \
- "and key file are required"
- exit 22
- fi
- if [ ! -r "$tpem" -o ! -r "$tkey" ]; then
- wsrep_log_error "Both certificate file (or path) " \
- "and key file must be readable"
+ wsrep_log_error "Both the certificate file (or path) and" \
+ "the key file are required"
exit 22
fi
verify_cert_matches_key "$tpem" "$tkey"
stagemsg="$stagemsg-OpenSSL-Encrypted-3"
- if [ -z "$tcert" ]; then
+ if [ -z "$tcert$tcap" ]; then
if [ $encrypt -eq 4 ]; then
wsrep_log_error \
"Peer certificate file (or path) required if encrypt=4"
@@ -387,14 +381,11 @@ get_transfer()
# no verification
CN_option=""
tcmd="$tcmd,cert='$tpem',key='$tkey',verify=0"
- wsrep_log_info "$action with cert=$tpem, key=$tkey, verify=0"
+ wsrep_log_info \
+ "$action with cert='$tpem', key='$tkey', verify=0"
else
# CA verification
- if [ ! -r "$tcert" ]; then
- wsrep_log_error "Certificate file or path must be readable"
- exit 22
- fi
- verify_ca_matches_cert "$tcert" "$tpem" $tpath
+ verify_ca_matches_cert "$tpem" "$tcert" "$tcap"
if [ -n "$WSREP_SST_OPT_REMOTE_USER" ]; then
CN_option=",commonname='$WSREP_SST_OPT_REMOTE_USER'"
elif [ "$WSREP_SST_OPT_ROLE" = 'joiner' -o $encrypt -eq 4 ]
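Review bot: The `-r` test on `$tcert` is removed from the CA-verification branch of get_transfer here, and the previous hunk removes the matching tests on `$tpem`, `$tcert` and `$tkey`. An unreadable certificate, key, CA file or CA directory is therefore caught only if verify_cert_matches_key / verify_ca_matches_cert reject it, and neither helper is shown in this diff. If either helper can return early without opening the files, the failure presumably moves to socat with a much less specific message. Consider keeping one explicit check per configured value, e.g. `[ -r "$tpem" ] || { wsrep_log_error "Certificate file '$tpem' must be readable"; exit 22; }`, and the same for whichever of `$tcert` / `$tcap` is non-empty. The identical get_transfer hunks in wsrep_sst_xtrabackup-v2.sh have the same gap; get_transfer starts and ends outside this hunk.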
@@ -405,12 +396,15 @@ get_transfer()
else
CN_option=",commonname='$WSREP_SST_OPT_HOST_UNESCAPED'"
fi
- if [ $tpath -eq 0 ]; then
- tcmd="$tcmd,cert='$tpem',key='$tkey',cafile='$tcert'"
- else
- tcmd="$tcmd,cert='$tpem',key='$tkey',capath='$tcert'"
+ tcmd="$tcmd,cert='$tpem',key='$tkey'"
+ if [ -n "$tcert" ]; then
+ tcmd="$tcmd,cafile='$tcert'"
+ fi
+ if [ -n "$tcap" ]; then
+ tcmd="$tcmd,capath='$tcap'"
fi
- wsrep_log_info "$action with cert=$tpem, key=$tkey, ca=$tcert"
+ wsrep_log_info "$action with cert='$tpem', key='$tkey'," \
+ "ca='$tcert', capath='$tcap'"
fi
else
wsrep_log_info "Unknown encryption mode: encrypt=$encrypt"
@@ -497,19 +491,20 @@ check_server_ssl_config()
"$tkey" != "$tkey2" ]
then
wsrep_log_info \
- "new ssl configuration options (ssl-ca[path], ssl-cert " \
- "and ssl-key) are ignored by SST due to presence " \
+ "new ssl configuration options (ssl-ca[path], ssl-cert" \
+ "and ssl-key) are ignored by SST due to presence" \
"of the tca[path], tcert and/or tkey in the [sst] section"
fi
fi
if [ -n "$tcert" ]; then
tcert=$(trim_string "$tcert")
- if [ "${tcert%/}" != "$tcert" ]; then
- tpath=1
+ if [ "${tcert%/}" != "$tcert" ] || [ -d "$tcert" ]; then
+ tcap="$tcert"
+ tcert=""
fi
- elif [ -n "$tcap" ]; then
- tcert=$(trim_string "$tcap")
- tpath=1
+ fi
+ if [ -n "$tcap" ]; then
+ tcap=$(trim_string "$tcap")
fi
}
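Review bot: When `$tcert` turns out to be a directory, `tcap="$tcert"` replaces whatever `$tcap` already held, so a separately configured CA path is dropped without any message. These two values decide which CAs the SST channel trusts, so the override should be visible to the operator, e.g. `if [ -n "$tcap" ] && [ "$tcap" != "$tcert" ]; then wsrep_log_info "CA path '$tcap' is replaced by '$tcert'"; fi` just before the assignment. Note also that `$tcap` is trimmed only at the end of the function, after this decision has been made. The same pattern appears for SSTCA/SSTCAP in the wsrep_sst_rsync.sh hunk and in check_server_ssl_config of wsrep_sst_xtrabackup-v2.sh; the function starts outside this hunk.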
@@ -530,11 +525,13 @@ read_cnf()
if [ 0 -eq $encrypt -a -n "$tpem" -a -n "$tkey" ]
then
encrypt=3 # enable cert/key SSL encyption
-
# avoid CA verification if not set explicitly:
- # nodes may happen to have different CA if self-generated
- # zeroing up tcert does the trick
- [ "${tmode#VERIFY}" != "$tmode" ] || tcert=""
+ # nodes may happen to have different CA if self-generated,
+ # zeroing up tcert and tcap does the trick:
+ if [ "${tmode#VERIFY}" = "$tmode" ]; then
+ tcert=""
+ tcap=""
+ fi
fi
fi
elif [ $encrypt -eq 1 ]; then
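Review bot: Clearing `tcert` and `tcap` when `$tmode` does not start with VERIFY turns a configured CA into no peer verification at all, because get_transfer takes its `verify=0` branch when both are empty. Nothing logged in this hunk tells the operator why. The later "SSL configuration" line only shows the already-emptied values. Inside the new `if`, before the two assignments, I would add something like `[ -z "$tcert$tcap" ] || wsrep_log_info "MODE='$tmode' does not request verification, ignoring CA='$tcert', CAPATH='$tcap'"`. The matching read_cnf hunk in wsrep_sst_xtrabackup-v2.sh needs the same line; read_cnf continues outside this hunk.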
@@ -548,8 +545,9 @@ read_cnf()
fi
fi
- wsrep_log_info "SSL configuration: CA='$tcert', CERT='$tpem'," \
- "KEY='$tkey', MODE='$tmode', encrypt='$encrypt'"
+ wsrep_log_info "SSL configuration: CA='$tcert', CAPATH='$tcap'," \
+ "CERT='$tpem', KEY='$tkey', MODE='$tmode'," \
+ "encrypt='$encrypt'"
sockopt=$(parse_cnf sst sockopt "")
progress=$(parse_cnf sst progress "")
@@ -603,7 +601,7 @@ get_stream()
{
if [ "$sfmt" = 'mbstream' -o "$sfmt" = 'xbstream' ]; then
sfmt='mbstream'
- local STREAM_BIN=$(commandex 'mbstream')
+ local STREAM_BIN=$(commandex "$sfmt")
if [ -z "$STREAM_BIN" ]; then
wsrep_log_error "Streaming with $sfmt, but $sfmt not found in path"
exit 42
@@ -775,14 +773,14 @@ recv_joiner()
popd 1>/dev/null
if [ ${RC[0]} -eq 124 ]; then
- wsrep_log_error "Possible timeout in receiving first data from " \
+ wsrep_log_error "Possible timeout in receiving first data from" \
"donor in gtid stage: exit codes: ${RC[@]}"
exit 32
fi
for ecode in "${RC[@]}"; do
if [ $ecode -ne 0 ]; then
- wsrep_log_error "Error while getting data from donor node: " \
+ wsrep_log_error "Error while getting data from donor node:" \
"exit codes: ${RC[@]}"
exit 32
fi
@@ -791,7 +789,7 @@ recv_joiner()
if [ $checkf -eq 1 ]; then
if [ ! -r "$MAGIC_FILE" ]; then
# this message should cause joiner to abort
- wsrep_log_error "receiving process ended without creating " \
+ wsrep_log_error "receiving process ended without creating" \
"'$MAGIC_FILE'"
wsrep_log_info "Contents of datadir"
wsrep_log_info $(ls -l "$dir/"*)
@@ -826,7 +824,7 @@ send_donor()
for ecode in "${RC[@]}"; do
if [ $ecode -ne 0 ]; then
- wsrep_log_error "Error while sending data to joiner node: " \
+ wsrep_log_error "Error while sending data to joiner node:" \
"exit codes: ${RC[@]}"
exit 32
fi
@@ -840,7 +838,7 @@ monitor_process()
while true ; do
if ! ps -p "$WSREP_SST_OPT_PARENT" >/dev/null 2>&1; then
wsrep_log_error \
- "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT) " \
+ "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT)" \
"terminated unexpectedly."
kill -- -"$WSREP_SST_OPT_PARENT"
exit 32
@@ -1070,7 +1068,7 @@ then
iopts="--databases-exclude='lost+found'${iopts:+ }$iopts"
if [ ${FORCE_FTWRL:-0} -eq 1 ]; then
- wsrep_log_info "Forcing FTWRL due to environment variable " \
+ wsrep_log_info "Forcing FTWRL due to environment variable" \
"FORCE_FTWRL equal to $FORCE_FTWRL"
iopts="--no-backup-locks${iopts:+ }$iopts"
fi
@@ -1097,7 +1095,7 @@ then
set -e
if [ ${RC[0]} -ne 0 ]; then
- wsrep_log_error "mariabackup finished with error: ${RC[0]}. " \
+ wsrep_log_error "mariabackup finished with error: ${RC[0]}." \
"Check syslog or '$INNOBACKUPLOG' for details"
exit 22
elif [ ${RC[$(( ${#RC[@]}-1 ))]} -eq 1 ]; then
@@ -1227,7 +1225,7 @@ then
if ! ps -p "$WSREP_SST_OPT_PARENT" >/dev/null 2>&1
then
- wsrep_log_error "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT) " \
+ wsrep_log_error "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT)" \
"terminated unexpectedly."
exit 32
fi
@@ -1236,7 +1234,7 @@ then
if [ -d "$DATA/.sst" ]; then
wsrep_log_info \
- "WARNING: Stale temporary SST directory: " \
+ "WARNING: Stale temporary SST directory:" \
"'$DATA/.sst' from previous state transfer, removing..."
rm -rf "$DATA/.sst"
fi
@@ -1281,7 +1279,7 @@ then
monitor_process $jpid
if [ ! -s "$DATA/xtrabackup_checkpoints" ]; then
- wsrep_log_error "xtrabackup_checkpoints missing, " \
+ wsrep_log_error "xtrabackup_checkpoints missing," \
"failed mariabackup/SST on donor"
exit 2
fi
@@ -1329,7 +1327,7 @@ then
find "$DATA" -type f -name '*.qp' -delete
if [ $? -ne 0 ]; then
wsrep_log_error \
- "Something went wrong with deletion of qpress files. " \
+ "Something went wrong with deletion of qpress files." \
"Investigate"
fi
else
@@ -1359,7 +1357,7 @@ then
timeit "mariabackup prepare stage" "$INNOAPPLY"
if [ $? -ne 0 ]; then
- wsrep_log_error "mariabackup apply finished with errors. " \
+ wsrep_log_error "mariabackup apply finished with errors." \
"Check syslog or '$INNOAPPLYLOG' for details."
exit 22
fi
diff --git a/scripts/wsrep_sst_rsync.sh b/scripts/wsrep_sst_rsync.sh
index 94daa4d732a..b0cc8cb3066 100644
--- a/scripts/wsrep_sst_rsync.sh
+++ b/scripts/wsrep_sst_rsync.sh
@@ -34,7 +34,7 @@ cleanup_joiner()
{
local failure=0
- wsrep_log_info "Joiner cleanup: rsync PID=$RSYNC_REAL_PID, " \
+ wsrep_log_info "Joiner cleanup: rsync PID=$RSYNC_REAL_PID," \
"stunnel PID=$STUNNEL_REAL_PID"
if [ -n "$STUNNEL" ]; then
@@ -122,7 +122,7 @@ check_pid_and_port()
fi
if ! check_port "$pid" "$port" "$utils"; then
- wsrep_log_error "rsync or stunnel daemon port '$port' " \
+ wsrep_log_error "rsync or stunnel daemon port '$port'" \
"has been taken by another program"
exit 16 # EBUSY
fi
@@ -240,21 +240,22 @@ if [ -z "$SSTKEY" -a -z "$SSTCERT" -a -z "$SSTCA" -a -z "$SSTCAP" ]; then
check_server_ssl_config
fi
-SSTPATH=0
if [ -n "$SSTCA" ]; then
SSTCA=$(trim_string "$SSTCA")
- if [ "${SSTCA%/}" != "$SSTCA" ]; then
- SSTPATH=1
+ if [ "${SSTCA%/}" != "$SSTCA" ] || [ -d "$SSTCA" ]; then
+ SSTCAP="$SSTCA"
+ SSTCA=""
fi
-elif [ -n "$SSTCAP" ]; then
- SSTCA=$(trim_string "$SSTCAP")
- SSTPATH=1
+fi
+
+if [ -n "$SSTCAP" ]; then
+ SSTCAP=$(trim_string "$SSTCAP")
fi
if [ -z "$SSLMODE" ]; then
# Implicit verification if CA is set and the SSL mode
# is not specified by user:
- if [ -n "$SSTCA" ]; then
+ if [ -n "$SSTCA$SSTCAP" ]; then
STUNNEL_BIN=$(commandex 'stunnel')
if [ -n "$STUNNEL_BIN" ]; then
SSLMODE='VERIFY_CA'
@@ -269,17 +270,18 @@ if [ -n "$SSTCERT" -a -n "$SSTKEY" ]; then
verify_cert_matches_key "$SSTCERT" "$SSTKEY"
fi
-if [ -n "$SSTCA" ]; then
- if [ $SSTPATH -eq 0 ]; then
+CAFILE_OPT=""
+CAPATH_OPT=""
+if [ -n "$SSTCA$SSTCAP" ]; then
+ if [ -n "$SSTCA" ]; then
CAFILE_OPT="CAfile = $SSTCA"
- else
- CAFILE_OPT="CApath = $SSTCA"
+ fi
+ if [ -n "$SSTCAP" ]; then
+ CAPATH_OPT="CApath = $SSTCAP"
fi
if [ -n "$SSTCERT" ]; then
- verify_ca_matches_cert "$SSTCA" "$SSTCERT" $SSTPATH
+ verify_ca_matches_cert "$SSTCERT" "$SSTCA" "$SSTCAP"
fi
-else
- CAFILE_OPT=""
fi
VERIFY_OPT=""
@@ -299,7 +301,7 @@ then
exit 22 # EINVAL
;;
esac
- if [ -z "$SSTCA" ]; then
+ if [ -z "$SSTCA$SSTCAP" ]; then
wsrep_log_error "Can't have ssl-mode='$SSLMODE' without CA file or path"
exit 22 # EINVAL
fi
@@ -326,8 +328,8 @@ if [ -n "$SSLMODE" -a "$SSLMODE" != 'DISABLED' ]; then
STUNNEL_BIN=$(commandex 'stunnel')
fi
if [ -n "$STUNNEL_BIN" ]; then
- wsrep_log_info "Using stunnel for SSL encryption: CA: '$SSTCA', " \
- "ssl-path=$SSTPATH, ssl-mode='$SSLMODE'"
+ wsrep_log_info "Using stunnel for SSL encryption: CA: '$SSTCA'," \
+ "CAPATH='$SSTCAP', ssl-mode='$SSLMODE'"
STUNNEL="$STUNNEL_BIN $STUNNEL_CONF"
fi
fi
@@ -347,6 +349,7 @@ then
key = $SSTKEY
cert = $SSTCERT
${CAFILE_OPT}
+${CAPATH_OPT}
foreground = yes
pid = $STUNNEL_PID
debug = warning
@@ -438,8 +441,8 @@ EOF
case $RC in
12) RC=71 # EPROTO
wsrep_log_error \
- "rsync server on the other end has incompatible " \
- "protocol. Make sure you have the same version of " \
+ "rsync server on the other end has incompatible" \
+ "protocol. Make sure you have the same version of" \
"rsync on all nodes."
;;
22) RC=12 # ENOMEM
@@ -556,7 +559,7 @@ then
check_round=0
while check_pid "$STUNNEL_PID" 1
do
- wsrep_log_info "lingering stunnel daemon found at startup, " \
+ wsrep_log_info "Lingering stunnel daemon found at startup," \
"waiting for it to exit"
check_round=$(( check_round + 1 ))
if [ $check_round -eq 10 ]; then
@@ -574,7 +577,7 @@ then
check_round=0
while check_pid "$RSYNC_PID" 1
do
- wsrep_log_info "lingering rsync daemon found at startup, " \
+ wsrep_log_info "Lingering rsync daemon found at startup," \
"waiting for it to exit"
check_round=$(( check_round + 1 ))
if [ $check_round -eq 10 ]; then
@@ -652,6 +655,7 @@ EOF
key = $SSTKEY
cert = $SSTCERT
${CAFILE_OPT}
+${CAPATH_OPT}
foreground = yes
pid = $STUNNEL_PID
debug = warning
@@ -672,6 +676,7 @@ EOF
key = $SSTKEY
cert = $SSTCERT
${CAFILE_OPT}
+${CAPATH_OPT}
foreground = yes
pid = $STUNNEL_PID
debug = warning
diff --git a/scripts/wsrep_sst_xtrabackup-v2.sh b/scripts/wsrep_sst_xtrabackup-v2.sh
index f6f2a700ec2..d5c978c4147 100644
--- a/scripts/wsrep_sst_xtrabackup-v2.sh
+++ b/scripts/wsrep_sst_xtrabackup-v2.sh
@@ -36,7 +36,7 @@ ssyslog=""
ssystag=""
BACKUP_PID=""
tcert=""
-tpath=0
+tcap=""
tpem=""
tkey=""
tmode="DISABLED"
@@ -147,14 +147,14 @@ get_keys()
if [ $encrypt -eq 0 ]; then
if [ -n "$ealgo" -o -n "$ekey" -o -n "$ekeyfile" ]; then
- wsrep_log_error "Options for encryption are specified, " \
+ wsrep_log_error "Options for encryption are specified," \
"but encryption itself is disabled. SST may fail."
fi
return
fi
if [ $sfmt = 'tar' ]; then
- wsrep_log_info "NOTE: key-based encryption (encrypt=1) " \
+ wsrep_log_info "NOTE: key-based encryption (encrypt=1)" \
"cannot be enabled with tar format"
encrypt=-1
return
@@ -167,16 +167,18 @@ get_keys()
exit 3
fi
- if [ -z "$ekey" -a ! -r "$ekeyfile" ]; then
- wsrep_log_error "FATAL: Either key must be specified " \
- "or keyfile must be readable"
- exit 3
+ if [ -z "$ekey" ]; then
+ if [ ! -r "$ekeyfile" ]; then
+ wsrep_log_error "FATAL: Either key must be specified" \
+ "or keyfile must be readable"
+ exit 3
+ fi
fi
if [ "$eformat" = 'openssl' ]; then
get_openssl
if [ -z "$OPENSSL_BINARY" ]; then
- wsrep_log_error "If encryption using the openssl is enabled, " \
+ wsrep_log_error "If encryption using the openssl is enabled," \
"then you need to install openssl"
exit 2
fi
@@ -195,18 +197,18 @@ get_keys()
fi
elif [ "$eformat" = 'xbcrypt' ]; then
if [ -z "$(commandex xbcrypt)" ]; then
- wsrep_log_error "If encryption using the xbcrypt is enabled, " \
+ wsrep_log_error "If encryption using the xbcrypt is enabled," \
"then you need to install xbcrypt"
exit 2
fi
- wsrep_log_info "NOTE: xbcrypt-based encryption, " \
+ wsrep_log_info "NOTE: xbcrypt-based encryption," \
"supported only from Xtrabackup 2.1.4"
if [ -z "$ekey" ]; then
ecmd="xbcrypt --encrypt-algo='$ealgo' --encrypt-key-file='$ekeyfile'"
else
- wsrep_log_warning \
- "Using the 'encrypt-key' option causes the encryption key " \
- "to be set via the command-line and is considered insecure. " \
+ wsrep_log_info \
+ "Using the 'encrypt-key' option causes the encryption key" \
+ "to be set via the command-line and is considered insecure." \
"It is recommended to use the 'encrypt-key-file' option instead."
ecmd="xbcrypt --encrypt-algo='$ealgo' --encrypt-key='$ekey'"
fi
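Review bot: The notice that `encrypt-key` puts the encryption key on the command line is downgraded from `wsrep_log_warning` to `wsrep_log_info` in get_keys, which makes a security-relevant message easier to overlook or filter out. If `wsrep_log_warning` is not available on this branch, keep the severity readable in the text itself, as the stale-SST-directory message later in this script does, by starting the first string with `WARNING: `. The key is still interpolated into `ecmd` as `--encrypt-key='$ekey'` on the next line, so the condition the message describes is unchanged by this commit. get_keys starts outside this hunk.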
@@ -350,40 +352,32 @@ get_transfer()
if [ $encrypt -eq 2 ]; then
wsrep_log_info \
"Using openssl based encryption with socat: with crt and pem"
- if [ -z "$tpem" -o -z "$tcert" ]; then
+ if [ -z "$tpem" -o -z "$tcert$tcap" ]; then
wsrep_log_error \
"Both PEM file and CRT file (or path) are required"
exit 22
fi
- if [ ! -r "$tpem" -o ! -r "$tcert" ]; then
- wsrep_log_error \
- "Both PEM file and CRT file (or path) must be readable"
- exit 22
+ verify_ca_matches_cert "$tpem" "$tcert" "$tcap"
+ tcmd="$tcmd,cert='$tpem'"
+ if [ -n "$tcert" ]; then
+ tcmd="$tcmd,cafile='$tcert'"
fi
- verify_ca_matches_cert "$tcert" "$tpem" $tpath
- if [ $tpath -eq 0 ]; then
- tcmd="$tcmd,cert='$tpem',cafile='$tcert'"
- else
- tcmd="$tcmd,cert='$tpem',capath='$tcert'"
+ if [ -n "$tcap" ]; then
+ tcmd="$tcmd,capath='$tcap'"
fi
stagemsg="$stagemsg-OpenSSL-Encrypted-2"
- wsrep_log_info "$action with cert=$tpem, ca=$tcert"
+ wsrep_log_info "$action with cert='$tpem', ca='$tcert', capath='$tcap'"
elif [ $encrypt -eq 3 -o $encrypt -eq 4 ]; then
wsrep_log_info \
"Using openssl based encryption with socat: with key and crt"
if [ -z "$tpem" -o -z "$tkey" ]; then
- wsrep_log_error "Both certificate file (or path) " \
- "and key file are required"
- exit 22
- fi
- if [ ! -r "$tpem" -o ! -r "$tkey" ]; then
- wsrep_log_error "Both certificate file (or path) " \
- "and key file must be readable"
+ wsrep_log_error "Both the certificate file (or path) and" \
+ "the key file are required"
exit 22
fi
verify_cert_matches_key "$tpem" "$tkey"
stagemsg="$stagemsg-OpenSSL-Encrypted-3"
- if [ -z "$tcert" ]; then
+ if [ -z "$tcert$tcap" ]; then
if [ $encrypt -eq 4 ]; then
wsrep_log_error \
"Peer certificate file (or path) required if encrypt=4"
@@ -392,14 +386,11 @@ get_transfer()
# no verification
CN_option=""
tcmd="$tcmd,cert='$tpem',key='$tkey',verify=0"
- wsrep_log_info "$action with cert=$tpem, key=$tkey, verify=0"
+ wsrep_log_info \
+ "$action with cert='$tpem', key='$tkey', verify=0"
else
# CA verification
- if [ ! -r "$tcert" ]; then
- wsrep_log_error "Certificate file or path must be readable"
- exit 22
- fi
- verify_ca_matches_cert "$tcert" "$tpem" $tpath
+ verify_ca_matches_cert "$tpem" "$tcert" "$tcap"
if [ -n "$WSREP_SST_OPT_REMOTE_USER" ]; then
CN_option=",commonname='$WSREP_SST_OPT_REMOTE_USER'"
elif [ "$WSREP_SST_OPT_ROLE" = 'joiner' -o $encrypt -eq 4 ]
@@ -410,12 +401,15 @@ get_transfer()
else
CN_option=",commonname='$WSREP_SST_OPT_HOST_UNESCAPED'"
fi
- if [ $tpath -eq 0 ]; then
- tcmd="$tcmd,cert='$tpem',key='$tkey',cafile='$tcert'"
- else
- tcmd="$tcmd,cert='$tpem',key='$tkey',capath='$tcert'"
+ tcmd="$tcmd,cert='$tpem',key='$tkey'"
+ if [ -n "$tcert" ]; then
+ tcmd="$tcmd,cafile='$tcert'"
+ fi
+ if [ -n "$tcap" ]; then
+ tcmd="$tcmd,capath='$tcap'"
fi
- wsrep_log_info "$action with cert=$tpem, key=$tkey, ca=$tcert"
+ wsrep_log_info "$action with cert='$tpem', key='$tkey'," \
+ "ca='$tcert', capath='$tcap'"
fi
else
wsrep_log_info "Unknown encryption mode: encrypt=$encrypt"
@@ -502,19 +496,20 @@ check_server_ssl_config()
"$tkey" != "$tkey2" ]
then
wsrep_log_info \
- "new ssl configuration options (ssl-ca[path], ssl-cert " \
- "and ssl-key) are ignored by SST due to presence " \
+ "new ssl configuration options (ssl-ca[path], ssl-cert" \
+ "and ssl-key) are ignored by SST due to presence" \
"of the tca[path], tcert and/or tkey in the [sst] section"
fi
fi
if [ -n "$tcert" ]; then
tcert=$(trim_string "$tcert")
- if [ "${tcert%/}" != "$tcert" ]; then
- tpath=1
+ if [ "${tcert%/}" != "$tcert" ] || [ -d "$tcert" ]; then
+ tcap="$tcert"
+ tcert=""
fi
- elif [ -n "$tcap" ]; then
- tcert=$(trim_string "$tcap")
- tpath=1
+ fi
+ if [ -n "$tcap" ]; then
+ tcap=$(trim_string "$tcap")
fi
}
@@ -535,11 +530,13 @@ read_cnf()
if [ 0 -eq $encrypt -a -n "$tpem" -a -n "$tkey" ]
then
encrypt=3 # enable cert/key SSL encyption
-
# avoid CA verification if not set explicitly:
- # nodes may happen to have different CA if self-generated
- # zeroing up tcert does the trick
- [ "${tmode#VERIFY}" != "$tmode" ] || tcert=""
+ # nodes may happen to have different CA if self-generated,
+ # zeroing up tcert and tcap does the trick:
+ if [ "${tmode#VERIFY}" = "$tmode" ]; then
+ tcert=""
+ tcap=""
+ fi
fi
fi
elif [ $encrypt -eq 1 ]; then
@@ -553,8 +550,9 @@ read_cnf()
fi
fi
- wsrep_log_info "SSL configuration: CA='$tcert', CERT='$tpem'," \
- "KEY='$tkey', MODE='$tmode', encrypt='$encrypt'"
+ wsrep_log_info "SSL configuration: CA='$tcert', CAPATH='$tcap'," \
+ "CERT='$tpem', KEY='$tkey', MODE='$tmode'," \
+ "encrypt='$encrypt'"
sockopt=$(parse_cnf sst sockopt "")
progress=$(parse_cnf sst progress "")
@@ -787,14 +785,14 @@ recv_joiner()
popd 1>/dev/null
if [ ${RC[0]} -eq 124 ]; then
- wsrep_log_error "Possible timeout in receiving first data from " \
+ wsrep_log_error "Possible timeout in receiving first data from" \
"donor in gtid stage: exit codes: ${RC[@]}"
exit 32
fi
for ecode in "${RC[@]}"; do
if [ $ecode -ne 0 ]; then
- wsrep_log_error "Error while getting data from donor node: " \
+ wsrep_log_error "Error while getting data from donor node:" \
"exit codes: ${RC[@]}"
exit 32
fi
@@ -803,7 +801,7 @@ recv_joiner()
if [ $checkf -eq 1 ]; then
if [ ! -r "$MAGIC_FILE" ]; then
# this message should cause joiner to abort
- wsrep_log_error "receiving process ended without creating " \
+ wsrep_log_error "receiving process ended without creating" \
"'$MAGIC_FILE'"
wsrep_log_info "Contents of datadir"
wsrep_log_info $(ls -l "$dir/"*)
@@ -838,7 +836,7 @@ send_donor()
for ecode in "${RC[@]}"; do
if [ $ecode -ne 0 ]; then
- wsrep_log_error "Error while sending data to joiner node: " \
+ wsrep_log_error "Error while sending data to joiner node:" \
"exit codes: ${RC[@]}"
exit 32
fi
@@ -852,7 +850,7 @@ monitor_process()
while true ; do
if ! ps -p "$WSREP_SST_OPT_PARENT" >/dev/null 2>&1; then
wsrep_log_error \
- "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT) " \
+ "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT)" \
"terminated unexpectedly."
kill -- -"$WSREP_SST_OPT_PARENT"
exit 32
@@ -870,15 +868,15 @@ XB_REQUIRED_VERSION="2.3.5"
XB_VERSION=`$BACKUP_BIN --version 2>&1 | grep -oe '[0-9]\.[0-9][\.0-9]*' | head -n1`
if [ -z "$XB_VERSION" ]; then
- wsrep_log_error "FATAL: Cannot determine the $BACKUP_BIN version. " \
- "Needs xtrabackup-$XB_REQUIRED_VERSION or higher to " \
+ wsrep_log_error "FATAL: Cannot determine the $BACKUP_BIN version." \
+ "Needs xtrabackup-$XB_REQUIRED_VERSION or higher to" \
"perform SST"
exit 2
fi
if ! check_for_version "$XB_VERSION" "$XB_REQUIRED_VERSION"; then
- wsrep_log_error "FATAL: The $BACKUP_BIN version is $XB_VERSION. " \
- "Needs xtrabackup-$XB_REQUIRED_VERSION or higher to " \
+ wsrep_log_error "FATAL: The $BACKUP_BIN version is $XB_VERSION." \
+ "Needs xtrabackup-$XB_REQUIRED_VERSION or higher to" \
"perform SST"
exit 2
fi
@@ -1101,7 +1099,7 @@ then
iopts="--databases-exclude='lost+found'${iopts:+ }$iopts"
if [ ${FORCE_FTWRL:-0} -eq 1 ]; then
- wsrep_log_info "Forcing FTWRL due to environment variable " \
+ wsrep_log_info "Forcing FTWRL due to environment variable" \
"FORCE_FTWRL equal to $FORCE_FTWRL"
iopts="--no-backup-locks${iopts:+ }$iopts"
fi
@@ -1128,7 +1126,7 @@ then
set -e
if [ ${RC[0]} -ne 0 ]; then
- wsrep_log_error "innobackupex finished with error: ${RC[0]}. " \
+ wsrep_log_error "innobackupex finished with error: ${RC[0]}." \
"Check syslog or '$INNOBACKUPLOG' for details"
exit 22
elif [ ${RC[$(( ${#RC[@]}-1 ))]} -eq 1 ]; then
@@ -1258,7 +1256,7 @@ then
if ! ps -p "$WSREP_SST_OPT_PARENT" >/dev/null 2>&1
then
- wsrep_log_error "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT) " \
+ wsrep_log_error "Parent mysqld process (PID: $WSREP_SST_OPT_PARENT)" \
"terminated unexpectedly."
exit 32
fi
@@ -1267,7 +1265,7 @@ then
if [ -d "$DATA/.sst" ]; then
wsrep_log_info \
- "WARNING: Stale temporary SST directory: " \
+ "WARNING: Stale temporary SST directory:" \
"'$DATA/.sst' from previous state transfer, removing..."
rm -rf "$DATA/.sst"
fi
@@ -1312,7 +1310,7 @@ then
monitor_process $jpid
if [ ! -s "$DATA/xtrabackup_checkpoints" ]; then
- wsrep_log_error "xtrabackup_checkpoints missing, " \
+ wsrep_log_error "xtrabackup_checkpoints missing," \
"failed xtrabackup/SST on donor"
exit 2
fi
@@ -1362,7 +1360,7 @@ then
find "$DATA" -type f -name '*.qp' -delete
if [ $? -ne 0 ]; then
wsrep_log_error \
- "Something went wrong with deletion of qpress files. " \
+ "Something went wrong with deletion of qpress files." \
"Investigate"
fi
else
@@ -1392,13 +1390,11 @@ then
timeit "Xtrabackup prepare stage" "$INNOAPPLY"
if [ $? -ne 0 ]; then
- wsrep_log_error "xtrabackup apply finished with errors. " \
+ wsrep_log_error "xtrabackup apply finished with errors." \
"Check syslog or '$INNOAPPLYLOG' for details."
exit 22
fi
- # [ -f "$INNOAPPLYLOG" ] && rm "$INNOAPPLYLOG"
-
MAGIC_FILE="$TDATA/$INFO_FILE"
wsrep_log_info "Moving the backup to $TDATA"
diff --git a/scripts/wsrep_sst_xtrabackup.sh b/scripts/wsrep_sst_xtrabackup.sh
index 2d24626984d..de7b771bd2d 100644
--- a/scripts/wsrep_sst_xtrabackup.sh
+++ b/scripts/wsrep_sst_xtrabackup.sh
@@ -17,7 +17,7 @@
# MA 02110-1335 USA.
# Optional dependencies and options documented here:
-# http://www.percona.com/doc/percona-xtradb-cluster/manual/xtrabackup_sst.html
+# https://www.percona.com/doc/percona-xtradb-cluster/manual/xtrabackup_sst.html
# Make sure to read that before proceeding!
. $(dirname "$0")/wsrep_sst_common
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 8ab7565a666..08f0905e044 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -178,6 +178,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
DBUG_ENTER("new_VioSSLFd");
+
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
DBUG_PRINT("enter",
("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s' ",
@@ -308,6 +314,11 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER;
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
/*
Turn off verification of servers certificate if both
ca_file and ca_path is set to NULL
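Review bot: With the normalisation added at the top of new_VioSSLConnectorFd, a caller that passes empty strings for both `ca_file` and `ca_path` now reaches the "turn off verification" case described in the comment right below it. The connector would then presumably run without verifying the server certificate, rather than failing on an empty path. The branch itself is outside the hunk, so please confirm that this is the intended outcome for an empty `ssl-ca` / `ssl-capath`. If it is, the comment should say so, e.g. `ca_file and ca_path are both NULL or empty`, and a `DBUG_PRINT` at the point where `verify` is lowered would make the downgrade visible in traces.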
@@ -339,6 +350,12 @@ new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, FALSE, error,
crl_file, crl_path)))
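Review bot: The four normalisation lines added to new_VioSSLAcceptorFd look redundant as far as this hunk shows: the pointers are passed straight to new_VioSSLFd, which after this commit performs the same normalisation itself. Unless the rest of the function, outside the hunk, reads them, the block can be dropped here. The same four lines are pasted into new_VioSSLFd and new_VioSSLConnectorFd, so a small static helper would keep the rule in one place. The new lines also use `ca_file = NULL`, while the surrounding code writes assignments as `verify= SSL_VERIFY_PEER`. A possible shape for the helper and its use is below.

```c
/* Treat an empty path option as "not set". */
static const char *vio_nonempty(const char *path)
{
  return (path && path[0]) ? path : NULL;
}

/* … in new_VioSSLFd, after DBUG_ENTER; and in new_VioSSLConnectorFd
   before the verify decision … */
  ca_file=  vio_nonempty(ca_file);
  ca_path=  vio_nonempty(ca_path);
  crl_file= vio_nonempty(crl_file);
  crl_path= vio_nonempty(crl_path);
```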